ASA 5510 need help with allowing certain ports through FW

Posted on 2009-12-29
Medium Priority
Last Modified: 2012-05-08
I am trying to configure a Cisco ASA 5510 which is connected to a 2801 router and then to ISP.
There is a basic config currently that is allowing access to internet.
Now, I have to allow access for internal network users to reach public remote Database service on a specific port. Do I need to get the public IP address for this DB service to be used for the subsequent required configuration?
In addition i need to allow some other general specific ports through the FW (443,17150,21,20)

I did a search for past Q's on this and could not find anything.

Is there an access-list template that someone can help me get going -

i was thinking something like this?

access-list acl_outside extended permit tcp any interface outside eq 9700
access-list acl_outside extended permit tcp any interface outside eq 443
access-list acl_outside extended permit tcp any interface outside eq 17150

access-group acl_outside in interface outside

I am pasting the current  config

ASA-5510-BR****# sh run
: Saved
ASA Version 8.2(1)
hostname ASA-5510-B****
domain-name bro****
enable password ******** encrypted
passwd ******** encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 security-level 100
 ip address
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name br********.org
access-list acl_outside extended permit tcp any interface outside eq 17149
pager lines 24
logging enable
logging timestamp

logging buffer-size 16384
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh inside
ssh timeout 10
console timeout 10
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username vb&&***** password *********d encrypted privilege 15
username administrator password n&&&&&&&.Cpu encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ils
service-policy global_policy global
prompt hostname context
: end
Question by:routeswitch
  • 2
  • 2
LVL 33

Expert Comment

ID: 26138538
If this traffic is going from the inside network to the outside (public internet), then be aware of 2 things:
1) Sending traffic from inside to outside requires a global NAT for traslation
2) If no Access-group is applied to the inside interface, then all traffic is allowed outbound.   If an ACL is applied to the inside (or any for that matter) then there is an implicit "deny any any " at the end of the ACL.  

So, assuming you have that NAT setup correctly, then you have 2 choices:
#1 - use no ACL and all traffic will flow from inside to outside
#2 - use an ACL with this format:
access-list inside_out extended permit tcp any any eq 9700
access-list inside_out extended permit tcp any any eq 443
access-list inside_out extended permit tcp any any eq 17150
access-list inside_out extended permit tcp any any eq 21
access-list inside_out extended permit tcp any any eq 20

access-group inside_out in interface inside


Author Comment

ID: 26138586
Thanks Mike,

config of nat is:

global (outside) 1 interface
nat (inside) 1
route outside 1

I guess that is a pretty basic config.... I dont think it would need modification right?

And also - like you said - if no ACL is applied - as current, then it should be able to connect regardless of any port correct? I have edited the question and applied the running-config to the question.
If i did use the ACL - then would i need to explicitly put statements for all common things like HTTP web browsing etc?
LVL 33

Accepted Solution

MikeKane earned 2000 total points
ID: 26138655
> If i did use the ACL - then would i need to explicitly put statements for all common things like HTTP web browsing etc?

Yes that would be correct.  

I see the config now.   Since you have no access-groups defined, then all traffic is allowed from inside to outside and all traffic is blocked from outside to inside.  

So if an inside client is trying to reach an outside host on 17150, then I see nothing preventing that.  

Now, since there is a 2801 router between the ASA outside and the ISP, I would also check the ACL's on the 2801.   There might be something there preventing the traffic from going outbound.


Author Closing Comment

ID: 31670792
Mike is the best!!

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
With more and more companies allowing their employees to work remotely, it begs the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question